The field of cybersecurity is a complex one, and it’s more important now than ever before.
A massive data breach at credit-monitoring giant Equifax led to the personal data of over 143 million people being compromised. The leak has prompted concerns among businesses and government agencies about the action that should be taken to compensate victims and prevent repeat instances in the future.
There are plenty of controversial aspects relating to this incident. Beyond the massive breach itself, there are major questions about why the company waited so long to reveal it. There’s also talk about whether or not their staff was adequately equipped to handle it.
Managers have stepped down in the wake of the controversy, one of whom had no cyber-security or IT credentials on her LinkedIn page. Given that she had undergraduate and graduate degrees in the field of music composition, questions were raised about whether the company had the necessary personnel on hand to guard against attacks like the one it faced.
But this former manager isn’t the one being stuck with the bulk of the blame. Another former management employee, Richard Smith, weighed in on the vulnerability. The former CEO states that the company’s 225-person security team failed to stop the breach for one reason – because a single member didn’t do their job.
Smith said: “The human error was that the individual who’s responsible for communicating in the organization to apply the patch, did not.” He did not release the name of the individual in question.
He also mentioned that when he joined Equifax over a decade ago, there was no cyber security. The company invested a quarter of a billion dollars into it over the past few years.
While the amount of resources they poured into security is admirable, a structure that puts so much responsibility on one person is obviously problematic. Cyber security for commercial organizations may end up adopting protocols similar to those used in accounting and bookkeeping. Experts recommend checks and balances for important matters like these, as entrusting them to multiple people is often a safer bet.
Smith gave written testimony, stating the company deployed an update within 48 hours of the breach via an internal email. However, he said subsequent scans failed to identify any problems. It was apparently one person’s job to identify the vulnerabilities and communicate them to others.
The hackers found their entry point, effectively spotting the shortcoming that got past the team of 200-plus cybersecurity personnel.
Equifax has understandably been on the receiving end of a public backlash following the incident, but not all of their corrective action has made things better. The company launched a site to help people find out if they’d been affected by the leak. Sadly, the site was not well received.
Many people found it unhelpful, and it directed viewers to sign up for credit monitoring from Equifax. The initial language in the service contract stated individuals could not sue as a condition of signing up. Equifax has since retracted this, and more lawsuits followed.